A full write-up can be found on the Passware site, but put simply: the attack works against a machine that is running but has encrypted drives (for example one using BitLocker in TPM-only mode, or a machine which is suspended rather than hibernated). As to how to do it, well, they have implemented the exploit in a very neat and usable way:

Step 1 – Capture a forensic memory image and disk images

Create the FireWire memory imager from the Passware Kit on a USB stick

Connect the target computer to the forensic computer using a FireWire cable

Boot the forensic computer off the USB stick from step 1 to capture the memory image

Create disk images using tools such as EnCase

Step 2 – Decrypt the disk images

Click “Recover Hard Disk Passwords” within the Passware Kit

Select BitLocker or TrueCrypt

Select the memory image file and the disk image file

Click Next – Passware will now decrypt the disk image.
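As a defender-side counterpart to the procedure above, here is an added PowerShell audit (not from the post, and not Passware's code) that reports the conditions the attack depends on: BitLocker volumes protected only by the TPM, FireWire (1394) controllers present, and whether hibernation is enabled. It assumes the built-in BitLocker module and Get-PnpDevice are available, an elevated session, and that the HibernateEnabled registry value reflects the powercfg /h setting.

```powershell
# Added example, not from the original post or from Passware.
# Assumes: BitLocker module (Get-BitLockerVolume), Get-PnpDevice, elevated session.
#Requires -RunAsAdministrator

# Protector types that demand something from the user before Windows boots,
# so the volume key is not unsealed into RAM unattended.
$preBootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password', 'ExternalKey')

function Get-BitLockerExposure {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPreBoot = @($types | Where-Object { $preBootTypes -contains $_ }).Count -gt 0
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Protection = $vol.ProtectionStatus
            Protectors = ($types -join ', ')
            # TPM-only: the TPM releases the key to the OS without a user secret,
            # so a running or suspended machine holds it in memory (the case above).
            Exposed    = ($vol.ProtectionStatus -eq 'On') -and -not $hasPreBoot
        }
    }
}

function Get-FireWireDevices {
    # Device class '1394' is the IEEE 1394 (FireWire) host controller class.
    Get-PnpDevice -Class '1394' -ErrorAction SilentlyContinue |
        Select-Object FriendlyName, Status
}

function Test-HibernationEnabled {
    # Assumption: HibernateEnabled under Control\Power mirrors "powercfg /h".
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
        -Name HibernateEnabled -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.HibernateEnabled -eq 1)
}

Write-Host 'BitLocker volumes (Exposed = on, but no pre-boot protector):'
Get-BitLockerExposure | Format-Table -AutoSize
Write-Host 'FireWire (1394) controllers (a DMA path while present and enabled):'
$fw = Get-FireWireDevices
if ($fw) { $fw | Format-Table -AutoSize } else { Write-Host '  none found' }
# Hibernation writes RAM out and powers off; suspend keeps the key resident.
Write-Host "Hibernation enabled: $(Test-HibernationEnabled)"
```

A volume flagged Exposed on a machine with a 1394 controller and hibernation disabled is the exact configuration the post describes; adding a TPM+PIN or startup-key protector and disabling the controller closes it.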

This is, to my knowledge, the first commercial implementation (or should that be exploitation?) of the FireWire memory attack, and should be considered by anyone intending to use products such as BitLocker or TrueCrypt without making sure they deploy them in a way which prevents this kind of exploitation. As always, encryption is no use without proper pre-boot authentication.

Who?

Simon Hunt is the VP and Chief Technology Officer for McAfee Endpoint Protection, and formerly the CTO for SafeBoot International. Simon has been designing, implementing and speaking about data security since 1996. You can read my full bio.